Having worked with Ludo over the years, I know how happy the team is to reach this latest milestone for a great Open Source Directory Server in Java. Having worked with Directory Service products over the last 10 years, the release of OpenDS is even more exciting as it represents a next era in directory service products. For those out there looking for a scalable, easy-to-use and state-of-the-art directory server, you should definitely check it out. The Java platform allows you to install OpenDS, from the web, in minutes on a multitude of platforms. It runs great on my MacBook.

Yesterday, Scott, Derrick and I held our Q3 OpenPTK Meeting. The goal was to discuss the final to-dos around the release of OpenPTK version 1.1. You can view the Meeting Minutes to see what we discussed. Some items discussed of particular importance:

Documentation Wiki

Of interest, we’ve been working on a public wiki that we hope to use for documentation of the 1.1 release. The easy link to remember is:

You’ll see that this redirects you to Sun’s Wiki – Project OpenPTK Site. Feel free to bookmark either. Note that the wiki is still under construction. Feel free to submit any comments you feel would make it easier to use.

Downloads, Code, Issues and Project Info

And as always, we are still keeping Downloads, Code, Issue Tracking and Project Info at Sun’s Java.net web site. The easy link to get there will continue to be:

Version 1.1 Release

Although we haven’t finalized the actual date of the version 1.1 release, we’d characterize it as being pending. With this release, we’ll provide a Release Notes Guide with the new features to version 1.1. As the date becomes available, we’ll be sure to send an email to the OpenPTK mailing lists or mention it on one of our blogs.

OpenPTK Mailing List

You ask, “How do I get on the mailing list?” Follow these easy steps:

If you have already, Join Us! (You need to create/have a Java.net login)

Click on Mailing List to join one of the mailing lists (announce and users are a couple of good ones).

You may ask, what is Privileged User Access? One aspect is when a developer has root access on a Unix system or Administrator access to an AD Domain. I’m sure that happens often in your shop. Over the years, at past companies, I can’t count how many systems, including production customer systems, that I’ve had root access to. And at a minimum, these weren’t secured with even the most basic open source controls like sudo.

So, I ask, of all your Unix systems or AD domains, when you see someone log in as root:

Do you know who that person is?

Is it someone on your staff?

Maybe a vendor or partner?

Maybe a competitor?

And even if it is a friendly, should they have that access?

What controls do you have in place to audit that access?

A couple of weeks ago, two leading vendors in Privileged User Access and Governance, Risk & Compliance, Cloakware and SailPoint Technologies, announced a partnership to deliver the industry’s first privileged user audit and compliance management solution.
With this combined solution, you not only get the security of knowing who has access to privileged user accounts, but also the ability to tie Governance, Risk and Compliance around that access.

In other words, my CIO can verify that Terry Sigle has root access to systems A, B and C while my CISO can audit, review activity and provide a role-based definition around that access. This closed-loop compliance will allow my enterprise to pass the related SOX controls around privileged user access.

I’m currently working on some prototypes around this combined solution and look forward to providing more details. I’d be interested if you have any good stories around privileged user access and how you’ve dealt with audit controls and roles around this.

This past week, SailPoint Technologies’ CTO, Darran Rolls, submitted an open letter to the community for a discussion and call for standards around the exchange of role models, including items such as:

As Darran mentioned in a recent podcast, Role Interoperability is the next big standardization drive in corporate identity. In my travels and work with customers over the past 18 months, every identity project identifies role proliferation as a major problem across systems. Today, we have so many different provisioning solutions, role management products and enterprise applications all authoring their own definition of a role model. Getting these role models to interoperate with each other is making the CIO/CISO’s job much more difficult. These conflicting models along with the growing requirements for SOX-based policies make it even more difficult.

Products like SailPoint’s ComplianceIQ and its Role Management capabilities provide a solid role model for an entire enterprise. These roles can be shared with leading provisioning solutions and enterprise applications, but at a cost. Every integration is somewhat custom and without a common schema or exchange format, some role model specifics can be lost in translation.

So, I’m looking forward to what the industry can come up with in this open call for standards. I hope that this role exchange format can bring out the best in all products with the ultimate goal of supporting that CIO/CISO’s focus on business roles without concern for each product’s rigid definition of a role model.

As this is an open call, I hope to follow this blog with my own interpretation of the key areas I bulleted above. I welcome any comments or suggestions. I also hope to see you out on the Open Role Exchange forum. My id is terry.